Enabling FIDO2/WebAuthn support for remotely managed users
Formal Metadata
Number of Parts: 542
License: CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/61967 (DOI)
FOSDEM 2023, part 138 / 542
Transcript: English (auto-generated)
00:06
Okay, so, hello everyone. We'll start in a minute. The talk will have 20 minutes, and after that there will be space for questions. If you have questions, please write them into the Matrix room, or we will try to run around with the mic. So, thank you all for
00:26
coming, and I will give the word to Alexander Bokovoy, who will have the first presentation, about enabling FIDO2 support for remotely managed users. Yes. Thank you, Jakub. Thank you everyone who came today on this drizzly day into a
00:51
room that is not so easy to find. Let's fight security with obscurity. Okay. The talk
01:03
I'm giving here is actually, it was supposed to be done by Iker, who drives this effort at Red Hat, and I have another talk in the afternoon in the main tracks about passwordless Linux, where we are. This is part of it, but not the full stuff, so it's kind of
01:26
a preview of where we are, hopefully with demos and without demo effect. Let's go. I hope I will be able to get something working. Nice, my laptop actually locked
01:47
up. Really? Yeah. I'm trying. It doesn't want to. Okay. We'll get there. No, no, no.
02:22
So the fun part is, this is an old laptop. This is a really old laptop. My actual laptop got the battery puffed up. So it literally looks like this now. It's sort of a hat, right?
02:49
Here we're working there. But it means that I cannot fly with that kind of laptop. And this one is maybe six or seven years old, so it's a bit surprisingly slow for
03:02
contemporary software. We have booted Fedora. Okay. So this talk is about a very simple thing. Basically, this is the hardware incorporation of what people nowadays call
03:24
a passkey or WebAuthn, which is known as the FIDO2 set of specifications. And actually, we start with a small demo, right? If I get the screen working. Okay. I don't know
03:45
what you see there. Maybe you're not seeing anything. But I actually was able to log in with this token. And what I will be talking about is how I actually get it. Let's see.
04:09
Yeah. Yeah. This is because I logged in without a password, the password storage manager asks me to enter the password to unlock the storage manager, not
04:28
to log in with the password. That's another part of the stuff that we have to fix before we will be able to get into Linux without all the passwords. Okay. Let me get
04:42
to the talk. It's really slow. I really hope to get this working. Yay. Finally.
05:17
All right. So some time ago, we at Red Hat, working on identity management, on security,
05:29
on stuff like FreeIPA and SSSD, started looking into a couple of things. So one of them is how we can get passwordless into our systems. Mostly, we
05:46
talk about remote servers. And because that's what most of our customers are using. And many of those customers started asking about the thing that sort of required them to be
06:09
enforced for them from the governments and so on. So one of those things that is forced is FIDO2 or WebAuthn, because, well, everybody else supports it. Where everybody else means
06:22
all these Web applications, all the other operating systems like Microsoft Windows and the others. And, of course, there are properties that are related to this. They are all nice. But the reality is that you get all of this nicely working mostly in browsers, at least
06:49
on Linux. And not in all browsers. Some browsers do not support the WebAuthn workflow. Some do. But we need to get these logins into the actual systems. Because if you
07:02
are not able to log in into these systems, you cannot use this passwordless thing. And, of course, there are, from the technical point of view, it's a combination of some PAM modules and some changes to applications and so on. It shouldn't be that hard, right?
07:21
There are already PAM modules that implement this. The problem is that if you look at this from systematic point of view, if you manage thousands of hosts where you need to get access with the credentials stored somewhere, you need better than just everything
07:41
defined on the single machine. So we started looking into what we have. We have centralized identity management. We have FreeIPA. We have SSSD on the client side that allows querying these different identity management systems, including FreeIPA and so on. So we started looking at what we can create out of all of this. And we wanted to enable use of
08:07
FIDO2 in the console for these remote-managed users. We start with local authentication. This is what's working now. It didn't work like a couple of weeks ago. We're already
08:21
having some progress. And the second part will be remote authentication, but with a twist, because all the things like remote authentication using native SSH, for example, protocol, it's really not about this. It's not compatible with the local use of the FIDO2.
08:43
It encapsulates some of the principles, but it converts kind of use or assertion of the FIDO2 into a different form specific to SSH and cannot be reused for anything else. So the reality is that's coming from where all these governmental admins or big organizations
09:07
admins are getting the pressure from. This pressure came actually a year ago in the form of what they call zero trust memorandum. The zero trust memorandum is effectively
09:23
an answer by the Executive Office of the President of the United States to the set of threats that they got over the last decade, or visualized at least in public. So this memorandum basically states by the end of fiscal year 2024,
09:47
a number of things should happen in the governmental organizations. There are, I think, five big targets that they have to go, and one of these targets is to switch to passwordless
10:04
everywhere. And to say the truth, governmental organizations in the U.S. are already using passwordless form with smart cards. But WebAuthn is called out as one of the
10:21
recommended ways of doing it in the memorandum. So zero trust memorandum says that basically you have to use either personal identity verifications or smart cards, we already support that, and WebAuthn is another approach, and go there. There you go, you see the
10:43
customers or prospective customers getting pressure from those who drive them, who give the objects, and so on. And then these customers come to Red Hat and all other companies and ask
11:01
to get this working, because they have to comply. Not us comply with this, but the customers comply with this. The lucky part we have is that all of this is actually in the interest also of the community, because, well, it simply improves our state, not only at work,
11:22
but also at home. If we switch to passwordless, everywhere we get a bit secure environment, I hope, given the practices that we preach to at home. But this is the part. So if you have remotely managed users, basically define somewhere, centralize it,
11:46
your accounts, your POSIX identity, your home directory, your shell, and so on, somewhere should be defined which passwordless credentials you can use. These credentials
12:02
should be delivered locally, and if you have a device like this one, or maybe the one on the phone which we do not support yet, it needs to be verified, it needs to be engaged with, applied, and so on. And in this centralized environment, we often have to deal with the
12:28
fact that you are not only logging into the single machine, you're jumping somewhere, you are interoperating with other applications. Typically, this transfer of authentication state happens
12:41
through transition from your local authentication to something like Kerberos, which issues a ticket recording your authenticated state, and then uses this ticket to issue other tickets to other services in the environment that's being built. So on the high level,
13:05
it's in principle all the stuff that we deal with in FreeIPA and SSSD already. For FIDO2, this is the new thing for us, but we use the libfido2 library that's already
13:22
existing and shipped in many distributions for the implementation of the FIDO2 stuff. We store the data at the LDAP server and fetch it from there, that is the SSSD side, and the other part is we integrate with the FreeIPA Kerberos implementation to provide the
13:45
transition from FIDO2 to Kerberos. So for the local authentication, what happens is that you have SSSD running on the machine, it picks up the user information from the LDAP record for that user, part of that record is the specification of the passkey record details, pretty much like
14:08
in the traditional way you store them somewhere on the disk, but here you store them remotely. Then when token is added and there is a need to log in over a PAM, any PAM service, you get
14:26
libfido2 communicating with the device and performing its magic, comparing with the record that you have. So in LDAP this looks like this. I intentionally included a bunch of
14:42
stuff here, but literally all we care about is that we have this passkey attribute and obviously in LDAP it's a structured store, so you have to have an object class that defines use of this attribute. And on IPA level this looks like this. There is a user information which also has
15:08
this passkey mapping. This is not in the released version of IPA yet. Hopefully by spring we will get this, but later I will show you where you can get the test version.
15:25
So in IPA case only you get after this login, which is apparently not working, so you get a Kerberos ticket. This is a high-level overview of how it goes in. The presentation is available
15:42
on the site, so I'm not focusing on describing these details, but effectively we extended the MIT Kerberos implementation to allow us to communicate with the KDC all these details related to the WebAuthn implementation. So behind the KDC on the FreeIPA
16:08
server we have a relying party implementation that performs part of this authentication and then uses the Kerberos protocol to transfer the bits between the two sides. So, test it. So this is
16:24
actually a demo of what I kind of ran before I got my presentation working. So this is the logged in screen this morning and to unlock I have to insert this passkey and press enter.
16:45
You don't see the part of the full message because it's so large compared to the actual input string that GDM shows. Then I just activate the device and magic happens, I logged in.
17:05
How can you play with this yourself if you want to set it up? Iker wrote some instructions in this blog post and he maintains a COPR repo for Fedora, Fedora 36 and 37 at this point,
17:20
so you can get SSSD packages. There is one package that is not installed by default, this is exactly the support for FIDO2, sssd-passkey. Then you need to enable it in the SSSD configuration, but if you follow Iker's instructions you should get it working.
17:40
Right now it only works with FreeIPA, because the FreeIPA from that COPR repo has the support for storing the passkeys in the LDAP server. I will stop here because I have like three minutes and I would like to hear any questions
18:02
and feedback. This is sort of early stage. I will show a bit more in the afternoon with the bigger presentation that I have at the main track. There will be a bit more demos there, but we really would love to hear your feedback and what you want to see
18:23
working there. I have a question, so what happens if the key is lost or
18:47
stopped working or something like that? So what happens if the key is lost or stops working because it's a hardware that might blow up? Right?
19:02
That totally depends on how the system is defined. If the system is defined to allow fallback to other passkeys or it's allowed to use a different authentication method, the
19:21
key is lost. If the key is lost, for example, a user or admin can remove the passkey mapping from the user entry, and then this user wouldn't be able to use this
19:40
passkey anymore. So in practice this is a process thing. You have to define your policies for organizational policies, how you handle any lost credentials. There's no difference with this. Some systems like, for example, Apple in macOS actually forces you to define
20:06
two separate passkeys, two separate tokens, if you enable one because they think that you most likely will lose one. They probably figure it out something about the users.
20:23
Okay. Any other question? Pass the hash? There's nothing to pass here. So the whole, I'm not going into details of the WebAuthn implementation. It's fairly secure in this context. You have to have actual hardware
20:49
or software implementation of the token. You have to have exactly the same key. The private part of the key is typically not leaving the device, so it's fairly secure in that case.
21:04
Hi, it's Stefan here. Is it possible to add yet another factor to this authentication? Can you please speak up louder? Sorry. Can you add another factor to this key that you will bring? Like a
21:21
I'm sorry, I'm not here. Guys, could you please silence a bit? Sorry, I will speak out loud. Can you add another authentication factor to the process, like a TOTP token next to this physical key? So you're asking if there's a possibility to amend use of passkeys with something else?
21:44
Exactly. I believe it's possible to, because all of this is available over a PAM interface, you can stack up several PAM modules in it. In SSSD, that wouldn't be possible at this moment
22:00
to get it, but maybe this would be a good idea for going forward to allow extending and forcing to use several methods. Yeah, I will write this down. Okay, I guess I'm out of time. I think we can still have one last question if there is some. Okay.
22:26
Nice, nice technology. I have a question about username-less login. Is it also supported? Because this is the promise of FIDO2 that you can have discoverable credentials stored on the token, so the only thing you do is plug in the token and use a fingerprint. Does it also support username-less and password-less login?
22:45
So the question is whether login where a system, when you insert the token, identifies to which user this token belongs to. Does it work or not? Implementation right now does not support it.
23:05
There is a plan to support discoverable credentials. There are a few things that I would like to address in a presentation in the afternoon related to UX. Basically,
23:21
right now we are very limited in how graphical environments allow doing this discoverability. So, for example, for the smart cards, a couple years ago we changed GNOME, GDM, to extend it to allow picking up different identities from the smart card. And if a user has, for example,
23:49
several identities associated with the same smart card, then GDM allows to pick up the right one. The same problem comes with the pass keys. Maybe I'm ended with the idea of discoverable
24:07
ones, but it's the same story. So it's more like not the backend, but the frontend, the one that presents you. And user experience is pretty bad right now on this, but the plan is to fix it
24:20
eventually. Okay, thank you, Alexander, for the talk. Thank you for all the questions.